The Coming of Mobile Malware - Still Rare, but no Less Sinister Than Their PC Counterparts

During my high school years, in a time of dial-up modems and Windows 98, I was a huge computer geek (shocking, isn't it?). One day, I received an e-mail from a friend, which had a small executable as an attachment. The e-mail contained a personal note from the sender, so I did not suspect it to be malicious. When I opened the executable, a small game of whack-a-mole opened up, with Bill Gates' face in the role of the mole. I played it for a few seconds and moved on to explore the web, thinking nothing of it. Shortly afterwards, my friend called me up and asked "Want to see something cool?", and my CD-ROM tray opened up all by itself. I was flabbergasted. Later I learned from the friend that he had installed on my computer an application called "Back Orifice".

At that time, I thought it was cool and didn't even consider it to be malicious. But, like every good teen "bromance," our friendship ended, and a few months later his newfound friends connected to my computer, erasing the entire content of my hard drive with a simple "del *.*" command. Only after high school ended, when we started talking again, did I learn that before they gave my computer the command to self-destruct, his friends had downloaded a 30-page school paper I had written and submitted it under their own name. Never one to miss the chance to be an early adopter, I was a victim of computer-originated theft of intellectual property at a time when nobody knew what "malware" meant.

That was a different time, when the Internet wasn't in every household and when there was a feeling of a revolution about to take place. Today, there's a similar feeling of a revolution in the works. If in the late '90s it was the Internet on desktop machines, today it is all about mobile. While smartphones have existed for years, only after the introduction of the iPhone did the masses adopt them in droves, making "apps" hotter than mere "websites". Mobile banking applications were no different, appearing in the various application stores as the flood gates of "apps" opened. Few would dispute that the future of banking, like so much else, lies in mobile. But as we disconnect from the desktops and connect through our mobile devices, the landscape changes. In a sense, we go back to those naïve days of the late '90s, when device users were not familiar enough with the threats out there simply because those threats were neither as evolved nor as widespread. That, of course, is changing as quickly as the mobile revolution itself.

When the first antivirus applications for mobile came out, many reviews claimed that "they're nice, but it's mainly a gimmick for now." When these applications first came out, viruses, worms and Trojan horses were like the Sasquatch: there were rumors, there was talk that they were real and that they were coming, but there were very few sightings in the wild. Then, in November 2009, Ikee, the first worm targeting jailbroken iPhones, was discovered. It spread only to jailbroken devices on which an SSH server had been installed and the default root password left unchanged. It wasn't really malicious, as all it did was replace the phone's wallpaper with a picture of the singer and Internet meme Rick Astley.

Just a few weeks later, a truly malicious worm appeared which was designed to steal the user's online banking credentials. But, like Ikee, it only targeted a very small number of iPhone devices: those that had been "jailbroken", freed from Apple's walled-garden approach of installing apps exclusively through iTunes, so that they would accept apps from other sources. While Apple has taken the walled-garden approach to keep most iOS devices malware free, Google's Android boasts openness, an openness the bad guys did not take long to exploit. In August 2010, Kaspersky identified the first Trojan horse targeting Android devices. Multiple discoveries of Android malware followed, but their reach was relatively confined, as they had to be downloaded from 3rd party "app stores" and not Google's. The official "app stores" were considered much safer and more trustworthy for users, and those were indeed the stores that most users used. That was until recently, when "Droid Dream" appeared. "Droid Dream" is a Trojan that carries a root exploit to break out of Android's application sandbox, and it was discovered bundled into multiple applications available for download not only in 3rd party "app stores", but also in Google's official Android Market.

Once installed, the malicious code is designed to steal a large amount of personal data. The attack led Google to remotely delete these applications from affected users' devices, and it served as yet another sign that the day when malware is as real a threat on mobile platforms as it is on PCs today is closer than we may realize. We can already see that as mobile malware becomes more sophisticated, it gets better at circumventing the various security controls put in place by the device manufacturers.

Malware is not the only threat that exists in the mobile space. Fake banking apps, which are essentially phishing attacks in app form, if somewhat more sophisticated, have also been discovered in official "app stores". Cybercriminals have other motives to target mobile, as it opens up money-making options that simply do not exist on the desktop. Examples include malware applications that send text messages to premium-rate numbers registered by the attacker, raking in a small profit from each infected device. While these types of activities do not affect mobile banking directly, they may act as a catalyst for cybercriminals to adopt mobile as a target platform.

It seems that cybercriminals, like legitimate users, are jumping on the mobile bandwagon and adapting to it relatively quickly. As in the '90s, this relatively new platform offers many opportunities for the shrewd cybercriminal, while many users are oblivious to the potential threats. As mobile banking becomes more popular and more users adopt it, it is important to make sure the environment in which mobile banking takes place is as protected as "regular" online banking environments, and perhaps even more so. We've already started seeing the buds of mobile malware. We can only assume that we'll see them blossom in the near future.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Drawing on his work at the Anti-Fraud Command Center, as well as the unique insight gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise on the underground fraud economy and how cybercriminals operate.